Subject: RE: [saml-dev] Mixed one/two-factor authentication environment
Not necessarily. Unless there are some other unstated requirements, IMO, implementations should be able to deal with the step-up authentication without the logout step. It starts to get into authentication grading of course, which SAML tends to consider a “local” policy matter. If you accept that a 2fa is stronger than a u/p authentication at both an SP and an IdP, then an implementation should normally accept the 2fa for getting at any resource, but the u/p authn can only get at the lower-protected resources.

If the user hits a 2fa-protected resource on the SP first, the initial AuthenticationRequest can ask for the hardware token and the relying party should let them get to all resources. If the user hits a u/p resource on the SP first, the initial AR would be for password, and when the user subsequently hits a 2fa-protected resource, it should just “add” to the user's authn state by requesting the IdP to authenticate them with the hardware token. There should be no need to log the user out.

On the IdP side, if the user is logged in first with u/p but it then receives an AR asking for h/w token, it should just do the 2fa. Shouldn’t be a need to log the user out.

Well, at least that is how I would implement it.

Rob Philpott
RSA, the Security Division of EMC

From: Tanja Sialevri [mailto:tanja.sialevri@gmail.com]

I'm working on a federation scenario where some services require only password authentication and some two-factor authentication (hard token).
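The step-up flow Rob describes above (ask the IdP for the stronger authentication context only when a resource needs it, then add the result to the session instead of logging the user out), as an added Python example that is not code from the thread or from any RSA product; the strength ranking, the SP entity ID and the request IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard SAML 2.0 authentication context classes for the two factors in the thread.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Constructed local grading policy (SAML leaves this to the deployment):
# a stronger context satisfies any requirement of equal or lower rank.
STRENGTH = {PASSWORD: 1, TOKEN: 2}

def satisfied(session_contexts, required):
    """True if any context the user has already authenticated with meets 'required'.
    Unknown classes rank 0, so they never satisfy a graded requirement."""
    best = max((STRENGTH.get(c, 0) for c in session_contexts), default=0)
    return best >= STRENGTH[required]

def step_up_request(session_contexts, required, sp_entity_id, request_id):
    """Return None when the current session already suffices; otherwise build an
    AuthnRequest asking the IdP for 'required' or stronger.  ForceAuthn is
    deliberately left unset: the IdP may keep its existing session and only add
    the missing factor, so no logout happens on either side."""
    if satisfied(session_contexts, required):
        return None
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = required
    return ET.tostring(req, encoding="unicode")

def record_authn(session_contexts, returned_context):
    """Merge the context from the IdP's response into the session (add, not replace)."""
    return set(session_contexts) | {returned_context}

if __name__ == "__main__":
    sp = "https://sp.example/metadata"           # constructed SP entity ID
    session = {PASSWORD}                          # user first logged in with u/p
    assert step_up_request(session, PASSWORD, sp, "_r1") is None
    print(step_up_request(session, TOKEN, sp, "_r2"))  # only now is the token requested
    session = record_authn(session, TOKEN)        # IdP added the 2fa; keep the u/p state too
    assert step_up_request(session, PASSWORD, sp, "_r3") is None
```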